Web versions

Best of 2021 – Chrome to enforce HTTPS web protocol (whether you like it or not)

As we close out 2021, we at Security Boulevard wanted to highlight the most popular items of the year. Here’s the next in our series of the best of 2021.

If you type securityboulevard.comChromium version 90 will direct you directly to the secure version of the site. Surprisingly, he’s not currently doing that. Instead, Google’s web browser relies on the insecure site to silently redirect you.

It’s slow. And it’s a privacy issue, potentially. This seemingly insignificant change could have a big impact, even if it is not visible.

Goodbye, clear web. In today’s SB Blogwatch, we barely knew you.

Your humble blogwatcher curated these blog bits for your entertainment. Not to mention: Preparing breakfast.

What a difference an ‘s’ makes

What is craic? Thomas Claburn reports—“Chrome 90 switches to HTTPS by default”:

Lack of security is currently the norm in Chrome. … The same is true in other browsers. … This made sense in the past when most websites didn’t implement HTTP support.

But these days, most loaded web pages rely on a secure transport. … Of the top 100 websites, 97 of them currently use HTTPS by default. [So] When version 90 of Google’s Chrome browser arrives in mid-April, early visits to the website will default to a secure HTTPS connection.

Not bad your story man. Brian Fagioli gives him the beams—”Google Chrome 90 to use HTTPS by default”:

As usual, humans are often ignorant or lazy when it comes to their own online safety. In the end, it’s up to companies to protect us. …This time around, the hugely popular Chrome web browser is getting more secure with a simple tweak.

Chrome 90 won’t be officially released as stable until April, so it’s not a change users will see immediately. Fortunately, since Google reverts the web browser to http:// when https:// is not available, this should be without incident. [But] If you own or manage a website that doesn’t already use https://, it’s time to make that switch.

But maybe you already have it, as Joël Khalili explains—”a small but important upgrade”:

Last month, the change took effect for a small proportion of users with the Chrome 89 update. With testing now complete, HTTPS will become the default protocol for half-finished URLs with Chrome 90, which is currently set for a full public release on April 13… (the change won’t take effect for iOS users until a later date).

If an incomplete URL is entered… Chrome will automatically direct all incomplete URL requests to the corresponding HTTPS address (eg https://example.com), provided the website supports the new protocol. … The browser also blocks downloads from HTTP sources that are under an HTTPS page, which prevents malicious actors from tricking victims into believing that a download is from a trusted source.

Use the source, Luke. #include Shweta Panditrao and Mustafa Emre Acer—“A safer default”:

Starting with version 90, Chrome’s address bar will use https:// by default, improving privacy and even loading speed. …Chrome users who browse websites by manually typing a URL often don’t include “http://” or “https://”.

Users often type “example.com” instead of “https://example.com” in the address bar. In this case, if this was a user’s first visit to a website, Chrome would previously choose http:// as the default protocol… (a notable exception to this is any site on the HSTS preload list ).

Chrome will now default to HTTPS for most typed browsing that doesn’t specify a protocol… (IP addresses, single-label domains, and reserved hostnames such as test/ or localhost/ will continue to use HTTP by fault). …Chrome will revert to HTTP when the HTTPS attempt fails (including certificate errors, such as name mismatch or untrusted self-signed certificate, or connection errors).

This change is a step closer to ensuring that Chrome always uses secure connections by default. … In addition to being a big improvement in security and privacy, this change improves the initial load speed of sites that support HTTPS, since Chrome will connect directly to the HTTPS endpoint without needing to be redirected.

Sounds like a good idea. At least porn can see the meaning:

It makes sense. Adoption of HTTPS is now very high, and this could push it a little further. … The Web is quite usable without HTTP in the clear.

An interesting side effect of the change is that sites will no longer have a working HTTP redirect. Inevitably, there will be sites that let their HTTP versions rot and break, eventually forcing all other web clients to default to HTTPS for web compatibility.

Corn Mike 137 feels a little harassed:

What I would really like is to be allowed to make my own choices and decisions, rather than having an outside party that I can’t influence in any way telling me what I can and can’t do. …Strengthened controls do not really replace informed users because they are gradually being circumvented in the arms race. However, keeping users uninformed generates a lot more dosh, so the controls applied are the sticky plaster.

Isn’t Google the Benevolent Dictator he pretends to be? People such as pagan Do not think:

It’s a stupid idea. Forcing https down people’s throats is a dumb idea in general, but it wouldn’t have been so bad if it hadn’t been forced…on people by what is basically a monopoly.

Looking back, isn’t the web complicated now? Elledan yearns for the good old days:

Sometimes I wonder how we old fogies ever got through the internet of the 90s and 2000s in one piece without the invisible hand of privacy guiding our every move, or forcing us into submission if we dare to stray from the curly path. …I think they told us not to give out any personal information and to always use a nickname online.

Don’t talk to strangers, basically.

But why are we focusing on the privacy angle? Ajedi32 feels the need – the need for speed:[Talk to me, Goose—Ed.]

It seems to be mainly a performance optimization. … One round trip less when browsing a site by typing the domain name.

During this time, Hubert Cumberdale seems slightly contradictory:

I still hate Google, and I still don’t think they should have that power. I’m just glad they’re making it something I approve of, for once.

And finally:

How to make breakfast…wait, what?

Hat tip: Marc Frauenfelder

Previously in And finally

Have you read SB Blogwatch through Richi Jennings. Richi curates the best blogs, the best forums, and the weirdest websites…so you don’t have to. Hate messages may be directed to @RiCHi Where [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Sauce picture: Denis Skley (cc:by-nd)